ext/authx/authx.php

   1 <?php
   2
   3 require_once 'authx.civix.php';
   4 // phpcs:disable
   5 use CRM_Authx_ExtensionUtil as E;
   6 // phpcs:enable
   7
   8 Civi::dispatcher()->addListener('civi.invoke.auth', function($e) {
   9   $params = ($_SERVER['REQUEST_METHOD'] === 'GET') ? $_GET : $_POST;
  10   $siteKey = $_SERVER['HTTP_X_CIVI_KEY'] ?? $params['_authxSiteKey'] ?? NULL;
  11
  12   if (!empty($_SERVER['HTTP_X_CIVI_AUTH'])) {
  13     return (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'xheader', 'cred' => $_SERVER['HTTP_X_CIVI_AUTH'], 'siteKey' => $siteKey]);
  14   }
  15
  16   if (!empty($_SERVER['HTTP_AUTHORIZATION']) && !empty(Civi::settings()->get('authx_header_cred'))) {
  17     return (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'header', 'cred' => $_SERVER['HTTP_AUTHORIZATION'], 'siteKey' => $siteKey]);
  18   }
  19
  20   if (!empty($params['_authx'])) {
  21     if ((implode('/', $e->args) === 'civicrm/authx/login')) {
  22       (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'login', 'cred' => $params['_authx'], 'useSession' => TRUE, 'siteKey' => $siteKey]);
  23       _authx_redact(['_authx']);
  24     }
  25     elseif (!empty($params['_authxSes'])) {
  26       (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'auto', 'cred' => $params['_authx'], 'useSession' => TRUE, 'siteKey' => $siteKey]);
  27       if ($_SERVER['REQUEST_METHOD'] === 'GET') {
  28         _authx_reload(implode('/', $e->args), $_SERVER['QUERY_STRING']);
  29       }
  30       else {
  31         _authx_redact(['_authx', '_authxSes']);
  32       }
  33     }
  34     else {
  35       (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'param', 'cred' => $params['_authx'], 'siteKey' => $siteKey]);
  36       _authx_redact(['_authx']);
  37     }
  38   }
  39
  40   // Accept legacy auth (?key=...&api_key=...) for 'civicrm/ajax/rest' and 'civicrm/ajax/api4/*'.
  41   // The use of `?key=` could clash on some endpoints. Only accept on a small list of endpoints that are compatible with it.
  42   if (count($e->args) > 2 && $e->args[1] === 'ajax' && in_array($e->args[2], ['rest', 'api4'])) {
  43     if ((!empty($_REQUEST['api_key']) || !empty($_REQUEST['key']))) {
  44       return (new \Civi\Authx\LegacyRestAuthenticator())->auth($e, ['flow' => 'legacyrest', 'cred' => 'Bearer ' . $_REQUEST['api_key'] ?? '', 'siteKey' => $_REQUEST['key'] ?? NULL]);
  45     }
  46   }
  47 });
  48
  49 /**
  50  * Perform a system login.
  51  *
  52  * This is useful for backend scripts that need to switch to a specific user.
  53  *
  54  * As needed, this will update the Civi session and CMS data.
  55  *
  56  * @param array{flow: ?string, useSession: ?bool, principal: ?array, cred: ?string,} $details
  57  *   Describe the authentication process with these properties:
  58  *
  59  *   - string $flow (default 'script');
  60  *     The type of authentication flow being used
  61  *     Ex: 'param', 'header', 'auto'
  62  *   - bool $useSession (default FALSE)
  63  *     If TRUE, then the authentication should be persistent (in a session variable).
  64  *     If FALSE, then the authentication should be ephemeral (single page-request).
  65  *
  66  *   And then ONE of these properties to describe the user/principal:
  67  *
  68  *   - string $cred
  69  *     The credential, as formatted in the 'Authorization' header.
  70  *     Ex: 'Bearer 12345', 'Basic ASDFFDSA=='
  71  *   - array $principal
  72  *     Description of a validated principal.
  73  *     Must include 'contactId', 'userId', xor 'user'
  74  * @return array{contactId: int, userId: ?int, flow: string, credType: string, useSession: bool}
  75  *   An array describing the authenticated session.
  76  * @throws \Civi\Authx\AuthxException
  77  */
  78 function authx_login(array $details): array {
  79   $defaults = ['flow' => 'script', 'useSession' => FALSE];
  80   $details = array_merge($defaults, $details);
  81   $auth = new \Civi\Authx\Authenticator();
  82   $auth->setRejectMode('exception');
  83   $auth->auth(NULL, array_merge($defaults, $details));
  84   return \CRM_Core_Session::singleton()->get("authx");
  85 }
  86
  87 /**
  88  * @return \Civi\Authx\AuthxInterface
  89  */
  90 function _authx_uf() {
  91   $class = 'Civi\\Authx\\' . CIVICRM_UF;
  92   return class_exists($class) ? new $class() : new \Civi\Authx\None();
  93 }
  94
  95 /**
  96  * For parameter-based authentication, this option will hide parameters.
  97  * This is mostly a precaution, hedging against the possibility that some routes
  98  * make broad use of $_GET or $_PARAMS.
  99  *
 100  * @param array $keys
 101  */
 102 function _authx_redact(array $keys) {
 103   foreach ($keys as $key) {
 104     unset($_POST[$key], $_GET[$key], $_REQUEST[$key]);
 105   }
 106 }
 107
 108 /**
 109  * Reload the current page-view.
 110  *
 111  * @param string $route
 112  * @param string $queryString
 113  */
 114 function _authx_reload($route, $queryString) {
 115   parse_str($queryString, $query);
 116   foreach (array_keys($query) as $key) {
 117     if (CRM_Utils_String::startsWith($key, '_authx')) {
 118       unset($query[$key]);
 119     }
 120   }
 121   $url = CRM_Utils_System::url($route, $query, TRUE, NULL, FALSE, CRM_Core_Config::singleton()->userSystem->isFrontEndPage());
 122   CRM_Utils_System::redirect($url);
 123 }
 124
 125 /**
 126  * Implements hook_civicrm_config().
 127  *
 128  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_config/
 129  */
 130 function authx_civicrm_config(&$config) {
 131   _authx_civix_civicrm_config($config);
 132 }
 133
 134 /**
 135  * Implements hook_civicrm_install().
 136  *
 137  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_install
 138  */
 139 function authx_civicrm_install() {
 140   _authx_civix_civicrm_install();
 141
 142 }
 143
 144 /**
 145  * Implements hook_civicrm_postInstall().
 146  *
 147  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_postInstall
 148  */
 149 function authx_civicrm_postInstall() {
 150   _authx_civix_civicrm_postInstall();
 151 }
 152
 153 /**
 154  * Implements hook_civicrm_uninstall().
 155  *
 156  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_uninstall
 157  */
 158 function authx_civicrm_uninstall() {
 159   _authx_civix_civicrm_uninstall();
 160 }
 161
 162 /**
 163  * Implements hook_civicrm_enable().
 164  *
 165  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_enable
 166  */
 167 function authx_civicrm_enable() {
 168   _authx_civix_civicrm_enable();
 169   // If the system is already using HTTP `Authorization:` headers before installation/re-activation, then
 170   // it's probably an extra/independent layer of security.
 171   // Only activate support for `Authorization:` if this looks like a clean/amenable environment.
 172   // @link https://github.com/civicrm/civicrm-core/pull/22837
 173   if (empty($_SERVER['HTTP_AUTHORIZATION']) && NULL === Civi::settings()->getExplicit('authx_header_cred')) {
 174     Civi::settings()->set('authx_header_cred', ['jwt', 'api_key']);
 175   }
 176 }
 177
 178 /**
 179  * Implements hook_civicrm_disable().
 180  *
 181  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_disable
 182  */
 183 function authx_civicrm_disable() {
 184   _authx_civix_civicrm_disable();
 185 }
 186
 187 /**
 188  * Implements hook_civicrm_upgrade().
 189  *
 190  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_upgrade
 191  */
 192 function authx_civicrm_upgrade($op, CRM_Queue_Queue $queue = NULL) {
 193   return _authx_civix_civicrm_upgrade($op, $queue);
 194 }
 195
 196 /**
 197  * Implements hook_civicrm_entityTypes().
 198  *
 199  * Declare entity types provided by this module.
 200  *
 201  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_entityTypes
 202  */
 203 function authx_civicrm_entityTypes(&$entityTypes) {
 204   _authx_civix_civicrm_entityTypes($entityTypes);
 205 }
 206
 207 /**
 208  * Implements hook_civicrm_permission().
 209  *
 210  * @see CRM_Utils_Hook::permission()
 211  */
 212 function authx_civicrm_permission(&$permissions) {
 213   $permissions['authenticate with password'] = E::ts('AuthX: Authenticate to services with password');
 214   $permissions['authenticate with api key'] = E::ts('AuthX: Authenticate to services with API key');
 215 }
 216
 217 // --- Functions below this ship commented out. Uncomment as required. ---
 218
 219 /**
 220  * Implements hook_civicrm_preProcess().
 221  *
 222  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_preProcess
 223  */
 224 //function authx_civicrm_preProcess($formName, &$form) {
 225 //
 226 //}
 227
 228 /**
 229  * Implements hook_civicrm_navigationMenu().
 230  *
 231  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_navigationMenu
 232  */
 233 function authx_civicrm_navigationMenu(&$menu) {
 234   _authx_civix_insert_navigation_menu($menu, 'Administer/System Settings', [
 235     'label' => E::ts('Authentication'),
 236     'name' => 'authx_admin',
 237     'url' => 'civicrm/admin/setting/authx',
 238     'permission' => 'administer CiviCRM',
 239     'operator' => 'OR',
 240     'separator' => 0,
 241   ]);
 242   _authx_civix_navigationMenu($menu);
 243 }